yahoo-eng-team team mailing list archive
Message #51671
[Bug 1575909] Re: VPN shared PSK shown in plaintext
Based on the above comment, I removed the OSSA task.
** Changed in: ossa
Status: Incomplete => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1575909
Title:
VPN shared PSK shown in plaintext
Status in OpenStack Dashboard (Horizon):
New
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
In the neutron VPN details and form,
https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/vpn/templates/vpn/_ipsecsiteconnection_details.html#L43
and
https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/vpn/forms.py#L249
don't offer the option of hiding the string. Typically sensitive
information like passwords is hidden by default, requiring the user to
explicitly choose to make it visible by clicking an icon (like the eye
icon).
Filing this as a security bug out of an overabundance of caution;
while it is related to security it doesn't describe a vulnerability
that can be exploited by means other than shoulder surfing.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1575909/+subscriptions